Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/canvas-remote-read-remote-svg-image.html 

<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body></body>
<script>

async_test(function(t) {
  var canvas = document.createElement("canvas");
  canvas.width = canvas.height = 100;

  var svg = document.createElementNS('http://www.w3.org/2000/svg','svg');
  var image = document.createElementNS("http://www.w3.org/2000/svg", "image");
  svg.appendChild(image);
  image.setAttribute('href',
    'http://localhost:8000/security/resources/red200x100.png');

  var ctx = canvas.getContext("2d");

  image.addEventListener('load', t.step_func_done(function() {
    ctx.drawImage(image, 0, 0);

    assert_throws_dom("SecurityError", function() {
      var c = ctx.getImageData(0, 0, 1, 1);
    }, "We are trying cross-origin getImageData");
  }));

  document.body.appendChild(canvas);
  document.body.appendChild(svg);
}, "Checks no cross-origin on tainted canvas due to SVG image");

</script>